Example:
Append to URL: ?theme=%27-console.log(%27test/%27%2bdocument.domain)-%27
forcedTheme enabled on Provider
Not everybody has CSP enabled so make sure to sanitize the data attribute/class
The value of the "theme" parameter is reflected on the page, this reflection is then stored with the page/cache. So if someone else visits that page (without using any payload) the previously injected javascript will still be returned and execute.
After a while the page/cache will reset and the injection will no longer be returned. If an attacker continuously requests the page with injections, the page will assumably always respond with the injections though.
Some notes, if you pass %27-console.log(%27test/%27%2bdocument.domain)-%27 to the forcedTheme, you will store executable JavaScript that can lead to serious issues. May I suggest sanitising the input of forcedTheme?
Critical issue
https://github.com/pacocoursey/next-themes/blob/main/packages/next-themes/src/index.tsx#L83
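The mitigation both comments ask for is to never reflect an arbitrary query-string value into the page. The following TypeScript is an added example, not next-themes code: it resolves the `theme` parameter against an allowlist of known theme names, falls back to a default for anything else, and only then renders the inline theme script with a JSON-encoded literal. The allowlist, the function names (`isAllowedTheme`, `resolveForcedTheme`, `renderThemeScript`) and the rendered script shape are assumptions for illustration; the point is that an unknown value such as the one in the report never reaches the HTML, so nothing attacker-controlled is cached alongside the page.

```typescript
// Added example (not next-themes code): allowlist validation of a theme name
// before it is reflected into HTML (data attribute, class or inline script).
// THEMES and the function names below are assumptions for illustration.

const THEMES = ["light", "dark", "system"] as const; // constructed allowlist
type Theme = (typeof THEMES)[number];

// Accept only a string that is exactly one of the known theme names.
function isAllowedTheme(value: unknown): value is Theme {
  return typeof value === "string" && (THEMES as readonly string[]).includes(value);
}

// Unknown, malformed or missing values collapse to the default theme
// instead of being echoed back into the page.
function resolveForcedTheme(raw: unknown, fallback: Theme = "system"): Theme {
  return isAllowedTheme(raw) ? raw : fallback;
}

// Defence in depth for apps that allow custom theme identifiers: restrict the
// character set so a value can never close an attribute or a string literal.
const THEME_ID_PATTERN = /^[a-z0-9][a-z0-9_-]{0,31}$/;
function isWellFormedThemeId(value: string): boolean {
  return THEME_ID_PATTERN.test(value);
}

// Read ?theme=... from a query string (returns null when absent).
function themeFromQuery(search: string): string | null {
  return new URLSearchParams(search).get("theme");
}

// Simulates the server-side render of the inline theme script. The resolved
// theme is emitted as a JSON string literal with '<' escaped so the value can
// neither break out of the literal nor terminate the <script> element.
function renderThemeScript(queryTheme: string | null): string {
  const theme = resolveForcedTheme(queryTheme);
  const literal = JSON.stringify(theme).replace(/</g, "\\u003c");
  return `<script>document.documentElement.setAttribute('data-theme', ${literal})</script>`;
}

// Constructed sample: the query string from the report, as a browser would send it.
const reportedSearch = "?theme=%27-console.log(%27test/%27%2bdocument.domain)-%27";
const reportedValue = themeFromQuery(reportedSearch);
console.log(isAllowedTheme(reportedValue));    // false
console.log(renderThemeScript(reportedValue)); // script sets data-theme to "system"
```

Whether the value arrives via `forcedTheme` or via a query parameter, the check belongs at the point where the string is first accepted, before it is written into markup or into any cache of rendered pages.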